pub struct Verifier { /* private fields */ }
A verifier for Sigstore signatures
Implementations§
impl Verifier
pub fn new(trusted_root: &TrustedRoot) -> Self
Create a new verifier with a trusted root
The trusted root is required and contains all cryptographic material needed for verification (Fulcio CA certs, Rekor keys, TSA certs, etc.).
pub fn verify<'a>(
    &self,
    artifact: impl Into<Artifact<'a>>,
    bundle: &Bundle,
    policy: &VerificationPolicy,
) -> Result<VerificationResult>
Verify an artifact against a bundle
The artifact can be provided as raw bytes or as a pre-computed SHA-256 digest. When using a pre-computed digest, the raw bytes are not needed, which is useful for large files or when the digest is already known (e.g., from a registry).
§Example
```rust
use sigstore_verify::{Verifier, VerificationPolicy};
use sigstore_trust_root::TrustedRoot;
use sigstore_types::{Artifact, Bundle, Sha256Hash};

let trusted_root = TrustedRoot::production()?;
let verifier = Verifier::new(&trusted_root);
let bundle: Bundle = todo!();
let policy = VerificationPolicy::default();

// Option 1: Verify with raw bytes
let artifact_bytes = b"hello world";
verifier.verify(artifact_bytes.as_slice(), &bundle, &policy)?;

// Option 2: Verify with pre-computed digest (no raw bytes needed!)
let digest = Sha256Hash::from_hex("b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9")?;
verifier.verify(digest, &bundle, &policy)?;
```

In order to verify an artifact, we need to achieve the following:
- Establish a time for the signature.
- Verify that the signing certificate chains to the root of trust and is valid at the time of signing.
- Verify the signing certificate’s SCT.
- Verify that the signing certificate conforms to the Sigstore X.509 profile as well as the passed-in VerificationPolicy.
- Verify the inclusion proof and signed checkpoint for the log entry.
- Verify the inclusion promise for the log entry, if present.
- Verify the timely insertion of the log entry against the validity period for the signing certificate.
- Verify the signature and input against the signing certificate’s public key.
- Verify the transparency log entry’s consistency against the other materials, to prevent variants of CVE-2022-36056.
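The timely-insertion and log-entry consistency steps from the list above, sketched as an added example that is not code from sigstore-verify. `LogEntry`, `Materials`, `Inconsistent`, `check_log_entry` and `sample` are hypothetical names, and the log entry is modelled as already-parsed fields rather than a real Rekor entry body.

```rust
// Added illustration with hypothetical types; not the sigstore-verify API.

/// What the transparency log entry recorded (simplified, already parsed).
pub struct LogEntry<'a> {
    pub artifact_digest: [u8; 32],
    pub signature: &'a [u8],
    pub certificate_der: &'a [u8],
    pub integrated_time: i64, // Unix seconds
}

/// What the verifier is about to trust: bundle contents plus the caller's artifact.
pub struct Materials<'a> {
    pub artifact_digest: [u8; 32],
    pub signature: &'a [u8],
    pub certificate_der: &'a [u8],
    pub not_before: i64, // certificate validity window, Unix seconds
    pub not_after: i64,
}

#[derive(Debug, PartialEq)]
pub enum Inconsistent { Digest, Signature, Certificate, OutsideValidity }

/// Fail closed unless the log entry describes exactly the materials in hand
/// and was integrated while the signing certificate was valid.
pub fn check_log_entry(e: &LogEntry, m: &Materials) -> Result<(), Inconsistent> {
    if e.artifact_digest != m.artifact_digest { return Err(Inconsistent::Digest); }
    if e.signature != m.signature { return Err(Inconsistent::Signature); }
    if e.certificate_der != m.certificate_der { return Err(Inconsistent::Certificate); }
    if e.integrated_time < m.not_before || e.integrated_time > m.not_after {
        return Err(Inconsistent::OutsideValidity);
    }
    Ok(())
}

/// Constructed sample values (not real signatures or certificates).
pub fn sample() -> (LogEntry<'static>, Materials<'static>) {
    let e = LogEntry { artifact_digest: [0xAB; 32], signature: b"constructed-sig",
        certificate_der: b"constructed-cert", integrated_time: 1_700_000_300 };
    let m = Materials { artifact_digest: [0xAB; 32], signature: b"constructed-sig",
        certificate_der: b"constructed-cert",
        not_before: 1_700_000_000, not_after: 1_700_000_600 };
    (e, m)
}

fn main() {
    let (mut e, m) = sample();
    println!("matching entry: {:?}", check_log_entry(&e, &m));
    e.artifact_digest = [0xCD; 32]; // entry that was logged for a different artifact
    println!("entry for another artifact: {:?}", check_log_entry(&e, &m));
}
```

A log entry with a valid inclusion proof is still rejected here when it was recorded for a different digest, signature or certificate than the ones being verified.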
Auto Trait Implementations§
impl Freeze for Verifier
impl RefUnwindSafe for Verifier
impl Send for Verifier
impl Sync for Verifier
impl Unpin for Verifier
impl UnsafeUnpin for Verifier
impl UnwindSafe for Verifier
Blanket Implementations§
impl<T> BorrowMut<T> for T
where
    T: ?Sized,
fn borrow_mut(&mut self) -> &mut T
Mutably borrows from an owned value.